A CSRF issue was found in DanWin Hosting CMS that is used to offer shared hosting solutions for Tor Anonymity Services.

The resulting aftermath might de-anonymise the hosting operator and its users.

User actions on the web-user FTP file manager in var/www/html/files.php like deleting/adding/modifying files and directories in hosting account aren't protected from CSRF and hence susceptible to likely Request Forgery attacks by any attacker.

You are advised to add a PHP script that verifies user actions and acts as a prevention against CSRF.

The vendor has confirmed the vulnerability and is working towards a fix.
* Any updates will be notified on the blog *